Sunday, June 30, 2013

How Anonymous is Bitcoin?

After a number of discussions at Porcfest, the Free State Project's annual get together, I think I now understand the essentials, although not the mathematical details, of how Bitcoin works. If I correctly understand it, it is well suited to be a private online currency but poorly suited as an anonymous currency, although there may be ways of converting it into one.

This is how I think it works—those more familiar with it are welcome to correct any errors:

1. New bitcoins are created by "mining": repeatedly hashing a candidate block of recent transactions until the hash falls below a difficulty target that the whole network agrees on. The miner who succeeds is awarded a fixed number of new bitcoins (50 at first; the award halves every 210,000 blocks and is currently 25), so the total that can ever exist is capped at about 21 million, of which a little over half has so far been issued.

2. The successful miner broadcasts his block to every other node. The block carries the proof of work and a transaction paying the award to an address he controls; since spending from an address requires the matching private key, nobody else can claim that award. It is now his.

3. Every transfer of bitcoins (or of fractions of a bitcoin, down to one hundred-millionth) is broadcast to the whole network and recorded in a later block. Hence every node holds a complete copy of every transaction ever made, from which anyone can work out which address currently controls every bitcoin or fraction of a bitcoin in existence.

4. Users are identified not by realspace identity but by addresses, derived from public keys, that their wallet software generates. One individual can have an unlimited number of addresses and wallets.

5. Any disagreement about who owns what is settled by the chain of blocks itself. Each block commits to the block before it and was expensive to produce, so nodes follow the chain with the most accumulated work. Someone trying to spoof the system with a fake history that shows him owning bitcoins he does not actually own must redo the work for every block after the one he altered, and do it faster than the rest of the network extends the honest chain, which is not feasible unless he controls more than half of the network's computing power. A recipient who waits for several blocks on top of his transaction (about an hour) can be confident it will not be reversed.
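The five points above describe one mechanism, so here is a single worked illustration of it. This is an added example written for this page, not Bitcoin's own code: a toy ledger in which blocks are mined by brute-force hashing, each block commits to its predecessor, and altering an old transaction forces the forger to redo the proof of work for every later block. The difficulty (12 leading zero bits) and the transactions are constructed for illustration; the award schedule (50 BTC halving every 210,000 blocks) is Bitcoin's real one and is used to check the 21 million cap.

```python
"""Toy proof-of-work ledger.

Added example, not Bitcoin's code: it reproduces, at toy scale, the
properties the description above relies on.  A block is costly to produce
(a hash below a target, found by trial), each block commits to the one
before it, and rewriting an old transaction forces the forger to redo the
work for every later block, so confidence in a transaction grows with the
number of blocks mined on top of it.
"""
import hashlib
import json
from dataclasses import dataclass

DIFFICULTY_BITS = 12                 # toy difficulty: 12 leading zero bits
TARGET = 1 << (256 - DIFFICULTY_BITS)
HALVING_INTERVAL = 210_000           # Bitcoin's real schedule
INITIAL_REWARD = 50 * 100_000_000    # satoshi (1 BTC = 10**8 satoshi)


def block_reward(height: int) -> int:
    """Coinbase award for the block at `height`, in satoshi."""
    halvings = height // HALVING_INTERVAL
    return INITIAL_REWARD >> halvings if halvings < 64 else 0


def total_supply_cap() -> int:
    """Sum of every award ever payable: just under 21,000,000 BTC."""
    return sum(block_reward(k * HALVING_INTERVAL) * HALVING_INTERVAL for k in range(64))


@dataclass
class Block:
    height: int
    prev_hash: str
    txs: list          # constructed entries: [payer, payee, satoshi]
    nonce: int = 0

    def hash_with(self, nonce: int) -> str:
        """Double SHA-256 over a serialized header, as Bitcoin does (toy header here)."""
        header = json.dumps([self.height, self.prev_hash, self.txs, nonce],
                            separators=(",", ":")).encode()
        return hashlib.sha256(hashlib.sha256(header).digest()).hexdigest()

    @property
    def hash(self) -> str:
        return self.hash_with(self.nonce)


def mine(block: Block) -> int:
    """Try nonces until the block hash is below TARGET; returns the number of
    trials (about 2**DIFFICULTY_BITS on average)."""
    nonce = 0
    while int(block.hash_with(nonce), 16) >= TARGET:
        nonce += 1
    block.nonce = nonce
    return nonce + 1


def valid_chain(chain: list) -> bool:
    """Every block must meet the target and link to its predecessor's hash."""
    for i, b in enumerate(chain):
        if b.height != i or int(b.hash, 16) >= TARGET:
            return False
        if i > 0 and b.prev_hash != chain[i - 1].hash:
            return False
    return True


def build_chain(n: int) -> list:
    """Mine n blocks, each paying the award to a constructed miner address."""
    chain, prev = [], "0" * 64
    for h in range(n):
        b = Block(h, prev, [["coinbase", f"miner{h}", block_reward(h)]])
        mine(b)
        chain.append(b)
        prev = b.hash
    return chain


def forge(chain: list, height: int, new_txs: list) -> list:
    """Copy the chain and alter the transactions of one old block.  The altered
    block's hash changes, so every later block's prev_hash no longer matches."""
    forged = [Block(b.height, b.prev_hash, [list(t) for t in b.txs], b.nonce) for b in chain]
    forged[height].txs = new_txs
    return forged


def remine_from(chain: list, height: int) -> int:
    """Redo the proof of work from `height` to the tip; returns total trials.
    This is the forger's cost, and it grows with every block mined on top."""
    trials, prev = 0, chain[height].prev_hash
    for b in chain[height:]:
        b.prev_hash = prev
        trials += mine(b)
        prev = b.hash
    return trials


if __name__ == "__main__":
    chain = build_chain(4)
    forged = forge(chain, 1, [["coinbase", "forger", block_reward(1)]])
    print("honest chain valid:", valid_chain(chain))
    print("forged chain valid before re-mining:", valid_chain(forged))
    print("trials to re-mine blocks 1..3:", remine_from(forged, 1))
    print("forged chain valid after re-mining:", valid_chain(forged))
```

The forger's re-mined chain is internally valid, which is why validity alone does not settle disputes: the network prefers the chain with the most work, and the forger must produce his alternative faster than everyone else extends the honest one.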

One way of understanding the economics of the Bitcoin system is to analogize it to a hundred percent reserve commodity money. Each bitcoin corresponds to a one ounce ingot of gold. All of the gold sits in a bank somewhere which keeps track of who owns which ingot or fractional ingot. Payments are made by changing the label on the ingot. Mining bitcoins corresponds to mining physical gold, casting it into a one ounce ingot, and putting it in the bank labeled as belonging to the miner.

Seen from this standpoint, the bitcoin system has both the advantages and the disadvantages of a commodity money or hundred percent reserve banking system. The disadvantage, relative to a fiat money or fractional reserve system, is that the creation of money consumes real resources—time and effort to mine gold, computer processing time to mine bitcoins. The advantage (and disadvantage) is that the value of the money depends on factors not under the control of any government or central bank. That is a disadvantage if you expect a central bank to do a good job of managing a currency or expect the factors controlling the supply and demand for a commodity currency to change unpredictably. It is an advantage if you are concerned that central banks (or governments) will do a bad job of managing a currency, for instance inflating for short term political benefits, as a way of funding government via money creation, or as a way of inflating away government (or private) debts.

The Bitcoin system differs from what I have analogized it to in three interesting ways.

1. The record of ownership is radically decentralized—there is no bank holding the bitcoins and keeping track of who each one belongs to. This means that the system does not depend, as other schemes for anonymous digital currency do, on a trusted bank, hence that it does not depend on the existence of a government willing to defend it. A fully anonymous digital currency makes money laundering laws unenforceable, which means that most governments don't want such a currency to exist, which is probably why, prior to Bitcoin, there were no such currencies.

2. Unlike the supply of gold, the supply of bitcoins does not depend on mining technology. The protocol adjusts the difficulty of the mining problem every 2016 blocks so that, however much computing power is devoted to mining, a new block appears every ten minutes on average and new coins are issued on a fixed schedule; more miners only divide the same award among more competitors. And the total quantity of bitcoins has a known upper bound. This is both an advantage and a disadvantage from the standpoint of making future value predictable. A bitcoin hyperinflation due to a large increase in supply is impossible, however cheap computing power might become. But bitcoins are more vulnerable than a gold currency would be to changes in value, in particular increases in value, due to changes in demand. If the demand for gold increases, the resulting increase in its price will result in more gold being mined, holding down the price increase (increase in the price of gold, corresponding to a fall in prices measured in gold). There is no corresponding effect for bitcoins: a rise in their price draws more computing power into mining, but the protocol responds by making the problem harder, so the rate at which new coins appear does not change.

If you hold bitcoins, an increase in their value is a good thing. But if you are making future contracts in terms of bitcoins, uncertainty in their value, in either direction, is a bad thing, since it means that the real terms of your contract are subject to random change.

What about reduction in value due to a decrease in demand? In the case of both gold and bitcoins, the existing stock is already out there, so a drop in value only reduces the rate at which it is increased by mining. But gold, unlike bitcoins, has nonmonetary uses, which limit by how much its value will fall in response to a drop in monetary demand. Bitcoins have no nonmonetary demand.

3. A bank holding deposits of gold has a record of which account owns which ingot, but that record need not be public. The record of which address holds each bitcoin, on the other hand, is available to every user. This means that bitcoins, used as I have described, are not only not an anonymous currency, they are in a sense the least anonymous currency ever created.

The distinction between address and owner provides some degree of anonymity, analogous to the anonymity provided by a numbered Swiss bank account. To see the limits of that anonymity, imagine that the FBI decides that the Free State Project is a subversive organization—as, in a sense, it is. An FBI agent procures some bitcoins and uses them to pay for his registration at Porcfest. He now has the address of a wallet connected to the Project—call it wallet A. If he wants to find out whether some suspicious person who uses bitcoins has ties to the Project, he makes a payment to that person's wallet, which gives him one of that person's addresses, and then checks the public record to see whether it has ever sent or received a payment to or from wallet A, or to or from a wallet that has sent or received a payment to or from wallet A, or ... . He can, in other words, engage in traffic analysis using only public information—no need to tap any phones.

There are, I gather, solutions to this problem: ways in which a group of users can put their bitcoins into a common pool and each withdraw the same amount from it, so that an observer cannot tell which payment into the pool paid for which payment out of it, breaking the link between coin and wallet. I do not believe that any such solution is currently in routine use, but would be happy to discover that I am mistaken.
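As an added example of the traffic analysis described two paragraphs above, and of what pooling does to it, the following Python runs two standard chain-analysis techniques over a constructed ledger. It is not part of the original post and not any real tool's code; the addresses are labels, not real Bitcoin addresses, and the transactions are invented. The first technique is the shortest-path search the FBI agent would run. The second is the multi-input heuristic from the published chain-analysis literature: addresses spent together as inputs of one transaction are assumed to belong to one owner, so addresses are merged into clusters before searching. A pooling transaction (several unrelated inputs, equal outputs) is included to show that it makes the exact payer/payee link ambiguous while also dragging every participant into the same neighbourhood of the graph.

```python
"""Traffic analysis over a public transaction graph (added example).

Constructed ledger: each transaction is (txid, input addresses, output
addresses).  Amounts are omitted because only the links matter here.
"""
from collections import deque

TXS = [
    ("t1", ["agent1"], ["porcfest_A"]),        # FBI agent pays his registration
    ("t2", ["bob1", "bob2"], ["porcfest_A"]),  # bob pays registration from two addresses
    ("t3", ["bob3"], ["carol1"]),              # bob pays carol from a third address
    ("t4", ["agent2"], ["carol1"]),            # agent pays carol to learn her address
    ("t5", ["dave1"], ["erin1"]),              # dave has nothing to do with the Project
    ("t6", ["bob1", "bob3"], ["bob4"]),        # bob consolidates: links bob3 to bob1/bob2
]
# Pooling transaction: three unrelated users each put one coin in and take one out.
MIX = ("m1", ["bob4", "dave1", "frank1"], ["x1", "x2", "x3"])


def build_clusters(txs):
    """Multi-input heuristic via union-find: inputs spent together share an owner.
    Returns a map from address to its cluster representative."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]      # path halving
            a = parent[a]
        return a

    for _, ins, outs in txs:
        for a in ins + outs:
            find(a)                            # every address gets a cluster
        for a in ins[1:]:
            ra, rb = find(ins[0]), find(a)
            if ra != rb:
                parent[ra] = rb
    return {a: find(a) for a in list(parent)}


def payment_graph(txs, cluster=None):
    """Undirected adjacency: nodes are adjacent if one paid the other in some
    transaction.  With a cluster map, nodes are cluster representatives."""
    node = (lambda a: cluster[a]) if cluster else (lambda a: a)
    adj = {}
    for _, ins, outs in txs:
        for i in ins:
            for o in outs:
                if node(i) != node(o):
                    adj.setdefault(node(i), set()).add(node(o))
                    adj.setdefault(node(o), set()).add(node(i))
    return adj


def hops_between(adj, src, dst, max_hops=6):
    """Breadth-first search; returns the hop count or None if not linked within max_hops."""
    if src == dst:
        return 0
    seen, frontier = {src}, deque([(src, 0)])
    while frontier:
        n, d = frontier.popleft()
        if d >= max_hops:
            continue
        for m in adj.get(n, ()):
            if m == dst:
                return d + 1
            if m not in seen:
                seen.add(m)
                frontier.append((m, d + 1))
    return None


def linked_to(txs, suspect, known, use_clusters, max_hops=6):
    """Hops from `suspect` to `known` (wallet A), optionally after clustering."""
    cluster = build_clusters(txs) if use_clusters else None
    adj = payment_graph(txs, cluster)
    s, k = (cluster[suspect], cluster[known]) if cluster else (suspect, known)
    return hops_between(adj, s, k, max_hops)


if __name__ == "__main__":
    for label, txs in (("plain ledger", TXS), ("ledger with pool", TXS + [MIX])):
        for suspect in ("carol1", "dave1"):
            for clustered in (False, True):
                print(label, suspect, "clustered" if clustered else "raw",
                      linked_to(txs, suspect, "porcfest_A", clustered))
```

Without the pool, carol is four hops from wallet A on the raw graph and two hops once bob's addresses are clustered, while dave is not linked at all. Once the pooling transaction exists, dave is linked too, and the clustering heuristic merges him with bob's consolidation address: the pool hides which of its users paid whom, but it also makes every participant look connected to every other, which is why such services are both a privacy tool and a source of false positives for the analyst.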

Corrections on that or any other part of this description welcome.

P.S. Lots of interesting corrections of details and additional information in the comment thread.

23 Comments:

Actually, there are already Bitcoin forwarding services where a service provider holds one or more wallets, accepts payments and forwards the same sum (but another coin) to a new address, taking a small fee for the service. Because hundreds or thousands of people both send and receive money from the wallets, no incoming and outgoing payment can be connected to an individual user. All an outsider can see is that person A paid a certain sum to the forwarding service, and person B got a similar sum from the service.

I read this article recently about an additional protocol to turn Bitcoin into a truly anonymous digital cash:

Zerocoin is a new cryptographic extension to Bitcoin that (if adopted) would bring true cryptographic anonymity to Bitcoin. It works at the protocol level and doesn't require new trusted parties or services. With some engineering, it might (someday) turn Bitcoin into a completely untraceable, anonymous electronic currency.

In the bitcoin world the laundering services that Toni mentioned are usually called wallet mixing services. There are at least 3 services doing this, although I'm sure there are more to be found just a google search away.

Using mixing services and TOR provides a pretty solid layer of protection for anyone looking to have truly anonymous exchange.

Not important in context, but for completeness, point 1 is not correct: A miner collects multiple bitcoins; the number collected halves periodically. It started as 50; currently it's 25. And the limit on the ultimate number of bitcoins, 21 million, is arbitrary, not related to the computational task required to mine.

You do have a few small mistakes in your exposition, though your analysis seems largely sound.

There's not one single mathematical problem with many unknown solutions; each bitcoin is a solution to a slightly different problem. Each problem cannot be known until the previous problem is solved, and the problems get harder as the computation power of the network increases. So the supply of bitcoin doesn't respond to changes in demand the way gold does. (Imagine if the difficulty of mining an ounce of gold were proportional to the number of pickaxes in the world.)

Also, you don't really need to check "many more than two" copies of the ownership list. Creating fake lists is computationally difficult in proportion to the length of the list after the fake edit. So once the list is long enough, you can be pretty confident (even from seeing only one copy) that the coin you're looking at is genuine. This has the advantage, as you say, that there's no need to consult a centralized, trusted bank to find out who owns which bitcoin. It has the disadvantage that the certainty of ownership only increases over time; it takes about an hour before you can be really confident that any given transaction is safe.

It also may be worth pointing out that the process of bitcoin exchange is very nearly a perfect market, and should thus stay quite cheap. Physical fiat currencies with open circulation require expensive anti-counterfeit measures; digital currencies with trusted third parties are subject to price-fixing oligopolies--which is why it *still* costs a ridiculous amount of money (e.g. the greater of 2.75% or $0.50) to move wealth across the internet.

Another addition I'd like to make (as a relative bitcoin noob, so FWIW):

The way I understand it, the fact that bitcoin mining costs physical resources is part of what makes the system reliable.

The mining process and the transaction verification process are interrelated. One cannot just insert junk information into the network; contributing information that isn't readily falsifiable requires real resources. That's not a bug, but a feature that enables its distributed nature. 'Spamming' the network with bogus self-serving transactions is ridiculously costly; only if you control more than half of the computational power in the network might it start paying off.

> Are you saying that bitcoin allows me to push money to your wallet without your consent?

Yes, Bitcoin lets you give people money without their consent.

> it is well suited to be a private online currency but poorly suited as an anonymous currency, although there may be ways of converting it into one.

I would actually say it's the opposite: Bitcoin is semi-anonymous but not private. At Porcfest, at one point I lent someone 0.2 BTC to buy breakfast, and was able to see that they bought something for ~$4.05 from the blockchain. Since there were only a limited number of products available, I was almost able to guess what he bought just from the price. So it's not private, at least by default. But you can easily fix that: deposit all your coins to an exchange, withdraw them immediately after. And it is anonymous because while you can tell what's happening, you have no way of knowing (aside from data mining, which is a problem) who owns each Bitcoin address.

> The value of bitcoins, like the value of gold, depends in part on mining technology.

Actually, this is false (or rather, true to a very very limited extent). The algorithm is calibrated so that one new block (currently 25 BTC, it follows a preset exponential decay function) is released every 10 minutes, no matter how many miners are out there. If mining power goes up 10x, every miner will get 0.1x as much. I say true to a very limited extent because the calibration is not instant, so for example the current growth of ASICs is pushing the average to one block per 8 minutes, but I don't see anything (barring quantum computing) pushing it outside the 8-10 range.

> Presumably it would be possible to layer a fractional reserve system on top of Bitcoin, no?

Yes. Bitcoin does not ban fractional reserve; any system that does would necessarily be quite restrictive in a lot of other, undesirable, ways. However, Bitcoin does make it less profitable. Why do people keep money in their fractional-reserve bank accounts? They are certainly not chasing the 0.25% interest that the banks give you these days. The real reason is, you need to in order to meaningfully participate in the digital economy. With Bitcoin, the base unit is digital, so you only use banks if you want to, making them much less powerful.

"The disadvantage, relative to a fiat money or fractional reserve system, is that the creation of money consumes real resources—time and effort to mine gold, computer processing time to mine bitcoins."

Gold mining contributes nothing to a gold-money system, but bitcoin mining is essential to the operation of bitcoin. So it's a false analogy.

There is one important detail missing from your description. Bitcoins are mined at a near-constant rate, irrespective of how much computing power is thrown at them. Essentially, there is a lottery every 10 minutes in which a fixed mining reward (currently 25 BTC, but halved every 4 years; we are already past the first halving) goes to the lucky miner. The amount of computing power thrown at mining is analogous to the number of lottery tickets. But only one wins.

So the supply of BTC is highly predictable and does not change at all with demand. If demand goes up, price goes up, more power is wasted on mining, but the supply stays the same.
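The retargeting rule behind this comment and the earlier one on block times (10x the hash power, each miner gets 0.1x as much) is easy to show numerically. The following Python is an added example, not Bitcoin's code or either commenter's: it applies Bitcoin's real rule (every 2016 blocks the target is scaled by actual elapsed time over expected time, expected being 2016 blocks at 600 s, with the change clamped to a factor of 4 either way) to a deterministic model in which a block at difficulty d takes d * 2**32 hashes on average. The hash-rate schedule, the starting difficulty of 1 and the 25 BTC award are constructed inputs.

```python
"""Difficulty retargeting: why more hash power does not mean more coins.

Added example, not Bitcoin's code.  Mining is modelled by its expected
value (no randomness) so the effect of the rule is visible period by period.
"""
RETARGET_INTERVAL = 2016
TARGET_SPACING = 600                                   # seconds
EXPECTED_PERIOD = RETARGET_INTERVAL * TARGET_SPACING   # 1,209,600 s, two weeks
HASHES_PER_DIFFICULTY_UNIT = 2 ** 32                   # expected hashes per block at difficulty 1
REWARD_BTC = 25                                        # constructed: the 2013 award


def retarget(difficulty: float, actual_period: float) -> float:
    """Bitcoin's rule written in terms of difficulty (inverse of the target).
    Faster-than-expected blocks raise difficulty; each adjustment is limited
    to 4x up or down, so a large jump in hash power takes more than one period."""
    ratio = min(max(actual_period / EXPECTED_PERIOD, 0.25), 4.0)
    return difficulty / ratio


def expected_block_time(difficulty: float, hashrate: float) -> float:
    """Mean seconds per block for a network of `hashrate` hashes per second."""
    return difficulty * HASHES_PER_DIFFICULTY_UNIT / hashrate


def simulate(hashrates, difficulty: float = 1.0):
    """One entry per retarget period: (mean block time in s, BTC issued per day).
    `hashrates` gives the network hash rate during each successive period."""
    out = []
    for hashrate in hashrates:
        block_time = expected_block_time(difficulty, hashrate)
        out.append((block_time, 86400 / block_time * REWARD_BTC))
        difficulty = retarget(difficulty, block_time * RETARGET_INTERVAL)
    return out


if __name__ == "__main__":
    # Hash rate that yields ten-minute blocks at difficulty 1 (constructed baseline).
    base = HASHES_PER_DIFFICULTY_UNIT / TARGET_SPACING
    schedule = [base, base, 10 * base, 10 * base, 10 * base, base, base]
    for hashrate, (t, per_day) in zip(schedule, simulate(schedule)):
        print(f"hashrate x{hashrate / base:4.0f}  block time {t:7.1f} s  issuance {per_day:8.0f} BTC/day")
```

A tenfold jump in hash power produces one period of one-minute blocks, a second period at four minutes (the 4x clamp), and then ten-minute blocks again; issuance returns to 3,600 BTC per day with ten times the electricity being spent on it. A tenfold drop shows the mirror image, which is the one situation where the clamp hurts: blocks slow to 100 minutes for a full 2016-block period before difficulty can catch up.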

That statement is perhaps true in the sense that without using anonymity techniques like mixing (https://en.bitcoin.it/wiki/Mixing_service), one's virtual identity can possibly be tracked by anyone with ease. However, a bank account or credit card is inextricably tied to one's real-space identity, and Bitcoins are not. So an observer might track all the transactions to/from a bitcoin address, but determining the real-space identity of the wallet's owner is often a nontrivial problem. Then again, @vub's example from Porcfest does indicate that in some circumstances, it's quite trivial indeed.

Other than the anonymity problem, which is an interesting one, the puzzler for me regarding Bitcoin is the presence of close substitutes. In most markets, close substitutes for a product increase the supply of products filling the same function, which should decrease the price. Because anyone can make a knock-off Bitcoin that does _exactly_ the same thing as Bitcoin -- which many people have done (https://en.wikipedia.org/wiki/List_of_cryptocurrencies) -- there is an infinite supply of alternative products, and thus the price of Bitcoins should, for that reason, be 0. If someone could make a knock-off Apple product that is functionally identical to the real thing (including features, look-and-feel, quality, etc.) with a cost of $0, who wouldn't have one in every room of their house? Similarly, when there are 1000 alternative crypto-currencies, will the price of a Bitcoin be the same as it was when there were 10 crypto-currencies?

Speaking of Porcfest, where can we hear the talks that you gave at the event? Your recent talks page (http://daviddfriedman.com/MyTalks/MyRecentTalks.html) doesn't have the audio listed, and I can't find any recordings for the talks at porcfest.com or freestateproject.org.

David, you may be interested in how some professional Computer Scientists experienced with the problem attacked the transaction log to learn information from it. The people in question are quite famous -- Shamir is a co-inventor of RSA public key cryptography.

Regarding contracts, there is no reason why amounts need to be denominated in bitcoins. Some companies could specialize in publishing indices used as a unit of account. Good money need not be the unit of account in a modern economy.

If someone could make a knock-off Apple product that is functionally identical to the real thing (including features, look-and-feel, quality, etc.) with a cost of $0, who wouldn't have one in every room of their house?

The answer to that seems clear to me: the usefulness of each cryptocurrency increases with the number of users. So 0.001% of a currency which a million people use might be worth more than 10% of a currency which 1000 people use, even if they cost the same price to buy.

Also the obvious solution to loans is to attach them to commodity bundles. I think DF already gave this answer when talking about gold standard deflation.

On the contrary, the Bitcoin network is a decentralized transaction log that is based on proof-of-work and is thus virtually immune to fraud. I can hash a secret into a Bitcoin address, send a small amount of Bitcoin to that address, and from that point forward the Bitcoin network can verify the fact that I knew that secret at that time.

The secret could be a paper describing an invention of mine, and if I was ever challenged in court to prove that I had the idea before someone else (I'm not a fan of intellectual property protection, but it works well as an example), I could show my secret, hash it, then show that 1,000 nodes on the Bitcoin network agree that 0.01 Bitcoin were sent to that address 2 years ago. Given that the Bitcoin network says this (and assuming the court can be convinced of the soundness of the mathematics involved), the court knows that there are only 3 possibilities:

1. This is a coincidence, and I just happened to find a 2 year old Bitcoin transaction with the hash value of my secret. This is possible, but exceedingly unlikely.

2. I have committed fraud on the Bitcoin network. This requires me to control a significant portion of the computing resources running the Bitcoin network, and is thus almost certainly economically unfeasible.

3. I was in possession of my secret (and thus had the idea of the invention) two years ago.

Notice that this process requires a small amount of Bitcoin to essentially be destroyed, because no one is in possession of the private key of the address I sent my secret to, and therefore no one can prove that they own the 0.01 Bitcoin I sent to the address. This could theoretically have a negative impact on the other (monetary) use of Bitcoin, making it even more deflationary than planned (the same goes for people losing or forgetting the passphrase to their Bitcoin wallets).

Using the Bitcoin network as a store of value or means of exchange is only one (and, dare I say, a short-sighted) benefit. Proof-of-work systems have been proposed as a way of preventing denial of service attacks on computer systems by making them economically nonviable. Bitcoin is essentially a massive decentralized transaction log based on proof-of-work. It's awesome, and I contend that Bitcoins have considerable nonmonetary value.

Useful links:

http://en.wikipedia.org/wiki/Proof-of-work_system

People have proposed using the Bitcoin network as a way to track the ownership of virtual property, like items in an MMORPG:
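The commitment scheme in the comment above (hash a secret into an address, pay it, and let the chain supply the date) can be exercised without a real chain. The following Python is an added example, not the commenter's code: the block chain is stood in for by a constructed dict mapping an address to the height at which it first received coins, and the "address" is simply the hex SHA-256 of a salt plus the document (a real Bitcoin address is a further hash and encoding of a key or script, which does not matter for the argument). Two details a practitioner would add to the scheme as stated are shown: a random salt, without which a guessable document can be recovered by hashing candidate texts and looking them up in the public log, and verification that takes the date from the log rather than from the claimant.

```python
"""Timestamping a secret through a public, append-only log (added example).

The ledger is a constructed stand-in for the block chain; publish() models
sending a small payment to an address in a given block.
"""
import hashlib
import os
from typing import Optional


def commit(document: bytes, salt: Optional[bytes] = None):
    """Return (address, salt).  The salt must be stored with the document;
    revealing both later opens the commitment."""
    salt = os.urandom(32) if salt is None else salt
    address = hashlib.sha256(salt + document).hexdigest()
    return address, salt


def unsalted_commit(document: bytes) -> str:
    """The scheme exactly as the comment states it: hash the secret directly."""
    return hashlib.sha256(document).hexdigest()


def publish(ledger: dict, address: str, height: int) -> None:
    """Model of paying `address` in block `height`.  The log is append-only:
    the first funding height is the one that counts and cannot be moved."""
    ledger.setdefault(address, height)


def verify(ledger: dict, document: bytes, salt: bytes, not_later_than: int) -> bool:
    """Does the log show the salted hash of `document` funded at or before
    `not_later_than`?  The height comes from the log, so the claimant cannot
    backdate; a different document or salt yields a different address, so
    the commitment is binding."""
    address, _ = commit(document, salt)
    height = ledger.get(address)
    return height is not None and height <= not_later_than


def recover_unsalted(ledger: dict, candidates) -> Optional[bytes]:
    """Attack on the unsalted scheme: hash each candidate document and look it
    up in the public log.  Succeeds whenever the secret is guessable, which
    is the reason to salt; against a salted address the lookup finds nothing."""
    for doc in candidates:
        if unsalted_commit(doc) in ledger:
            return doc
    return None


if __name__ == "__main__":
    ledger = {}
    doc = b"constructed document: the invention I want to prove I had"
    address, salt = commit(doc)
    publish(ledger, address, 1000)        # the chain later records this at height 1000
    print("verified at or before 1000:", verify(ledger, doc, salt, 1000))
    print("claimed earlier than the log shows:", verify(ledger, doc, salt, 999))
    print("wrong document:", verify(ledger, b"something else", salt, 2000))
    print("guessing attack on salted entry:", recover_unsalted(ledger, [doc]))
    publish(ledger, unsalted_commit(doc), 1001)
    print("guessing attack on unsalted entry:", recover_unsalted(ledger, [b"wrong guess", doc]))
```

The three possibilities the commenter lists map onto the functions directly: a coincidence would be a second document with the same salted hash, which SHA-256 is designed to make infeasible; fraud would require altering the log's height, which the chain's proof of work prevents; and the remaining case is that the salted document existed when the payment was recorded.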

"The disadvantage, relative to a fiat money or fractional reserve system, is that the creation of money consumes real resources—time and effort to mine gold, computer processing time to mine bitcoins."

You can't claim that a disadvantage to a new "money" (I'm not claiming it's money, you are) is a quality inherent to money in toto.

That's like saying "a disadvantage to this universe is that a ball can't be painted completely red and completely blue at the same time".

The creation of a fiat money does not consume real resources in the same sense--something must be spent to print the notes, but the amount is unconnected with their value. A fractional reserve money based on a commodity consumes some real resources, but only a fraction of the amount consumed by a hundred percent or pure commodity money with the same purchasing power, which is what bitcoin is equivalent to.